
Topic: Suricata ~ Updates Killing Network Connections


Teken
Suricata ~ Updates Killing Network Connections
« on: January 14, 2018, 11:17:55 am »
Since updating to the last official 2.4.2 P1 release, every single day at 12:30 AM and 6:30 PM my entire network shuts down. Upon further audit and review I found that whenever the Suricata program is updating its signatures the system will be locked up doing something which literally kills all network connections in my home. >:(

Since I update based on six hour intervals starting at 12:30 AM each day it was easy to track. As seen in this image capture, when Suricata is updating its database the load increases several watts from its base 8 watts RMS at 12:30 AM & 6:30 PM.

I have since changed the setting to 28 days until the next scheduled update until such time root cause has been identified and resolved by the development team.

Moving the update period has completely solved this network down issue for me . . .

Thank You!


mais_um
Re: Suricata ~ Updates Killing Network Connections
« Reply #1 on: January 14, 2018, 02:15:37 pm »
Hi.

Is 0:30 the best update hour? Mine is at 4 or 5 AM.

Have you enabled or disabled "Live Rule Swap on Update" in Global Settings? What is your interface "IPS Mode" (go to and edit the interface, section "Alert and Block Settings")?
pfSense:
ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
NICs: RTL8100E (Internal) and Intel® PRO/1000 PT Dual (Intel 82571GB)

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #2 on: January 14, 2018, 05:54:00 pm »
Quote from: mais_um
Hi.

Is 0:30 the best update hour? Mine is at 4 or 5 AM.

Have you enabled or disabled "Live Rule Swap on Update" in Global Settings? What is your interface "IPS Mode" (go to and edit the interface, section "Alert and Block Settings")?

The time could really be whatever; I simply left it at the default value. The problem is not just that the network goes out, but when it happens I have several Alpha / Beta pieces of hardware that have a really hard time coming back online once this update happens. I literally have to hard reboot these two devices by removing power remotely via my web hosted switch.

This was NEVER an issue prior to this release  . . .

I did note the option of *Live Rule Swap on Update*, but again I never used it in the past. I see no reason to use this as a solution given the previous release operated just fine. If no one is going to take this issue seriously and address it, obviously I will have to use that option moving forward.

Quote from: mais_um
What is your interface "IPS Mode" (go to and edit the interface, section "Alert and Block Settings")?

Can you provide an image capture as to where this is? I can't find it.

Thank You!

Gertjan
Re: Suricata ~ Updates Killing Network Connections
« Reply #3 on: January 15, 2018, 12:25:02 am »
Hi,

Suricata, when updating, uses some watts ... I never saw stats that showed increased system usage expressed in watts before.
What about process usage? RAM usage? Do they follow the watt usage?

Although firewalls like this https://store.netgate.com/SG-1000.aspx maybe shouldn't be running heavy packages such as Suricata (I might be wrong here), I wonder what you use for hardware.

bmeeks
Re: Suricata ~ Updates Killing Network Connections
« Reply #4 on: January 15, 2018, 09:17:08 am »
@Gertjan is on the right track. Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs. That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM. I would say 2GB is cutting it close on RAM. I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Are any other packages running on this firewall? That can further add to load, and if you have another package that needs to download daily updates (such as IP lists or something), then perhaps there is a conflict with the update jobs ???

Bill

mais_um
Re: Suricata ~ Updates Killing Network Connections
« Reply #5 on: January 15, 2018, 09:33:33 am »
Quote from: bmeeks
@Gertjan is on the right track. Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs. That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM. I would say 2GB is cutting it close on RAM. I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Bill

This is why I point to a bad hour for making updates. To me 0:30 is too soon; is this the default? These updates should be made when fewer people are connected.


Quote from: Teken
...
Can you provide an image capture as to where this is? I can't find it.
...

Image attached.

@bmeeks is here; you should get good feedback, as he is the maintainer and the expert.
« Last Edit: January 15, 2018, 10:14:12 am by mais_um »

bmeeks
Re: Suricata ~ Updates Killing Network Connections
« Reply #6 on: January 15, 2018, 02:51:38 pm »
Quote from: mais_um
This is why I point to a bad hour for making updates. To me 0:30 is too soon; is this the default? These updates should be made when fewer people are connected.


I can't remember the package default off the top of my head, but since the package is used all over the world and in different time zones, there is no "perfect" default value. The creators of the rule packages each have their own update posting schedules based on their local time. But their local time is not the same as someone in a different part of the world. So you just need to experiment. For me, I set my times to 1:30 AM US Eastern and 1:30 PM Eastern and have not had any issues. I did have issues in the past with the old default of midnight US Eastern and noon US Eastern.

Bill

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #7 on: January 15, 2018, 05:42:07 pm »
Quote from: Gertjan
Hi,

Suricata, when updating, uses some watts ... I never saw stats that showed increased system usage expressed in watts before.
What about process usage? RAM usage? Do they follow the watt usage?

Although firewalls like this https://store.netgate.com/SG-1000.aspx maybe shouldn't be running heavy packages such as Suricata (I might be wrong here), I wonder what you use for hardware.

I haven't been around when the system shuts down the network due to work flow. In the near future I'll schedule it for a time I'm around and confirm what the process / RAM usage is. I'm sure lots of folks haven't ever seen an energy chart placed on this forum to describe a problem. I only did so because it helped illustrate the factual data of when the time event happened, and the correlation was an increase in power due to more processing power being called upon.

I know what every single device and circuit consumes, for how long, frequency of, and if there are any out of band readings in the home. If there is my systems shut them down and send alerts to me indicating when and where.

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #8 on: January 15, 2018, 05:43:28 pm »
Quote from: bmeeks
@Gertjan is on the right track. Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs. That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM. I would say 2GB is cutting it close on RAM. I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Are any other packages running on this firewall? That can further add to load, and if you have another package that needs to download daily updates (such as IP lists or something), then perhaps there is a conflict with the update jobs ???

Bill

Hello Bill,

This is a brand new Micro PC I propped up in late 2017 and the hardware specifications are these:

Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #9 on: January 15, 2018, 05:49:17 pm »
Quote from: mais_um
This is why I point to a bad hour for making updates. To me 0:30 is too soon; is this the default? These updates should be made when fewer people are connected.

...
Can you provide an image capture as to where this is? I can't find it.
...

Image attached.

@bmeeks is here; you should get good feedback, as he is the maintainer and the expert.

I do not see IPS Mode in the 2.4.2 P1 firmware release.

bmeeks
Re: Suricata ~ Updates Killing Network Connections
« Reply #10 on: January 16, 2018, 07:40:37 am »
Quote from: Teken
Hello Bill,

This is a brand new Micro PC I propped up in late 2017 and the hardware specifications are these:

Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

The amount of RAM might be an issue. It really depends on the number of enabled rules. When the scheduled updates run, Suricata basically has to load both sets of rules into memory at the same time, then when everything is loaded up it switches over to using the new rules in RAM and discards the old ones. So for a brief period of time you need almost twice as much RAM as compared to the rest of the running time. With a limited amount of RAM to start with, this could result in memory paging (the swapping in and out to disk of some RAM content). Your power spike is simply the physical evidence of the much higher CPU workload during the task. A higher CPU workload is normal for rule updates.

Bill

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #11 on: January 16, 2018, 08:48:40 am »
Quote from: bmeeks
The amount of RAM might be an issue. It really depends on the number of enabled rules. When the scheduled updates run, Suricata basically has to load both sets of rules into memory at the same time, then when everything is loaded up it switches over to using the new rules in RAM and discards the old ones. So for a brief period of time you need almost twice as much RAM as compared to the rest of the running time. With a limited amount of RAM to start with, this could result in memory paging (the swapping in and out to disk of some RAM content). Your power spike is simply the physical evidence of the much higher CPU workload during the task. A higher CPU workload is normal for rule updates.

Bill

Hello Bill,

My apologies I didn't state how much RAM I have on board. This Micro PC has 8 GB of RAM which should be more than plenty to run pfSense.

bmeeks
Re: Suricata ~ Updates Killing Network Connections
« Reply #12 on: January 16, 2018, 09:05:22 am »
Quote from: Teken
Hello Bill,

My apologies I didn't state how much RAM I have on board. This Micro PC has 8 GB of RAM which should be more than plenty to run pfSense.

OK, 8 GB should be plenty of RAM. A spike in CPU usage and power consumption would be normal, but losing network connectivity is not normal. That has not been reported by others so far as I can tell, so it appears to be isolated to your case. Is there anything unusual about your network card? Is it a USB device or a standard port on the motherboard? Are you using blocking mode for Suricata or just the default IDS mode? This is set on the INTERFACE SETTINGS tab for each configured Suricata interface. You have a choice of two blocking modes when you enable "Block Offenders". Those two modes are Legacy Mode and Inline IPS Mode. If you have blocking configured, which of those two modes do you have enabled?

Bill
« Last Edit: January 17, 2018, 11:42:06 am by bmeeks »

Teken
Re: Suricata ~ Updates Killing Network Connections
« Reply #13 on: January 19, 2018, 06:13:40 pm »
Block Offenders is not checked on either LAN / WAN interface. The Micro PC has four on board Intel WG82583 NICs.

Thank You! 

bmeeks
Re: Suricata ~ Updates Killing Network Connections
« Reply #14 on: January 22, 2018, 06:52:49 am »
Quote from: Teken
Block Offenders is not checked on either LAN / WAN interface. The Micro PC has four on board Intel WG82583 NICs.

Thank You!

With that basic setup (no blocking), I really can't imagine a scenario where Suricata could break your network connectivity. In that default setup you have, it only launches libpcap to get copies of packets coming through the interface so it can analyze them. That's it. Are you 100% positive Suricata is the issue? I know of nothing within the binary that can break your network connectivity, especially with blocking not enabled. In the GUI, even if that code got really intense, the worst that should happen is the GUI responsiveness would suck for a few seconds.

When you say the network "breaks", does it self recover?  In other words, will connectivity come back if you do nothing?  If not, what do you do to restore connectivity?  Those can be troubleshooting hints.

Bill
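A small diagnostic added here (not code from the thread or from the pfSense Suricata package) that answers the questions the replies above keep coming back to: does Suricata's resident memory roughly double during the scheduled rule reload, does the box start using swap, and does gateway reachability drop at the same moment. It assumes FreeBSD/pfSense tools (ps, swapinfo, ping), a placeholder gateway address, and a sample file path you can override.

```shell
# Sample Suricata RSS, swap use and gateway reachability around the rule
# update window, then report the symptoms discussed in the thread.
# Assumptions (not from the thread): FreeBSD ps/swapinfo/ping, GATEWAY is a
# placeholder you replace with your LAN gateway or another always-on host.
GATEWAY="${GATEWAY:-192.0.2.1}"
SAMPLES="${SAMPLES:-/tmp/suricata_update_samples.txt}"

# Append one sample line: epoch  total_suricata_rss_kb  swap_used_kb  gateway_ok(1/0)
take_sample() {
    # [s]uricata keeps the awk process itself out of the match
    rss=$(ps -axo rss=,command= | awk '/[s]uricata/ { s += $1 } END { print s + 0 }')
    # swapinfo -k: header line, one line per device, optional "Total" line; column 3 is Used
    swap=$(swapinfo -k | awk 'NR > 1 && $1 != "Total" { u += $3 } END { print u + 0 }')
    if ping -c 1 -W 1000 "$GATEWAY" >/dev/null 2>&1; then ok=1; else ok=0; fi
    echo "$(date +%s) $rss $swap $ok" >> "$SAMPLES"
}

# Evaluate a sample file. Baseline RSS is the first sample; prints the
# peak/baseline ratio (bmeeks expects close to 2 during the swap-over),
# whether swap was ever touched, and how many reachability checks failed.
analyze_samples() {
    awk '
        BEGIN { peak = 0; swapped = 0; down = 0 }
        NR == 1 { base = $2 }
        $2 > peak { peak = $2 }
        $3 > 0    { swapped = 1 }
        $4 == 0   { down++ }
        END {
            ratio = (base > 0) ? peak / base : 0
            printf "ratio=%.2f swap_used=%d gateway_failures=%d\n", ratio, swapped, down
        }' "$1"
}

# Run for N minutes (default 10) at 10 s intervals spanning the update time, then report.
monitor_window() {
    minutes="${1:-10}"
    : > "$SAMPLES"
    n=$((minutes * 6))
    while [ "$n" -gt 0 ]; do take_sample; sleep 10; n=$((n - 1)); done
    analyze_samples "$SAMPLES"
}
```

Start it a few minutes before the scheduled update (for example `monitor_window 15` from cron or a shell), and a non-zero gateway_failures count that lines up with a ratio near 2 or swap use is the correlation the thread was missing.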